XMLVerifier can't decode X509 since 4.0.0

[avtobiff]

It is not possible to verify a signed XML payload since signxml 4.0.0.
This works in signxml<4.0.0.

Trying to use XMLVerifier produces the following trace:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/.../flask-saml2/flask_saml2/xml_parser.py", line 44, in __init__
    self.xml_tree = self.parse_signed(self.xml_tree, self.certificate)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/flask_saml2/xml_parser.py", line 73, in parse_signed
    return XMLVerifier().verify(xml_tree, x509_cert=certificate).signed_xml
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/verifier.py", line 434, in verify
    signing_cert = x509.load_pem_x509_certificate(add_pem_header(self.x509_cert))
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/util/__init__.py", line 162, in add_pem_header
    bare_base64_cert = ensure_str(bare_base64_cert)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.../flask-saml2/pyvenv/lib/python3.12/site-packages/signxml/util/__init__.py", line 85, in ensure_str
    x = x.decode(encoding)
        ^^^^^^^^
AttributeError: 'X509' object has no attribute 'decode'

To reproduce this do the following:

git clone https://github.com/mx-moth/flask-saml2
cd flask-saml2
virtualenv pyvenv
. pyvenv/bin/activate
pip install -r tests/requirements.txt
pip install -e .
pip install --upgrade pyopenssl

Start a python interpreter and run the following:

import defusedxml
from signxml import XMLVerifier
from tests.idp.base import CERTIFICATE

xml_string = '''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:9000/saml/acs/" ID="_2427a2a09f614f8b9ea1d6fb620ed430" InResponseTo="_00b391e554004ec1b019fff3f426ba19" IssueInstant="2024-08-30T09:58:53.745389+00:00" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8000/saml/metadata.xml</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_2427a2a09f614f8b9ea1d6fb620ed430"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>hLTrojshkS3JRO0WM+nU6eUsX0KOktgH5CVA3xYAbA8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SkRNqDMGjN8NH8aGYJCbFpoQN93+c9Gfa+udW8D7P+w3tJL3JdIN3Vifx3i6B7oIuwsLyOGH8gtHzCVqw0/iaQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3deea41eb8394cb4af1adf3b07e1014b" IssueInstant="2024-08-30T09:58:53.745389+00:00" Version="2.0"><saml:Issuer>http://localhost:8000/saml/metadata.xml</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_3deea41eb8394cb4af1adf3b07e1014b"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>8saGUTsmwg1DkRA74ttWoqG4roUQT1v8aQOa2w7ckyk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>haW67iR59aBZlrwJCkSmxPOzLY8CA9xaLKnghrEQ3knnAD7xIwiAMdv6SpFD8QOEmMcnV42PYP81C8C7Q8oFbg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="http://localhost:9000/saml/metadata.xml">alex@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_00b391e554004ec1b019fff3f426ba19" NotOnOrAfter="2024-08-30T10:13:53.745389+00:00" Recipient="http://localhost:9000/saml/acs/"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-08-30T09:55:53.745389+00:00" NotOnOrAfter="2024-08-30T10:13:53.745389+00:00"><saml:AudienceRestriction><saml:Audience>http://localhost:9000/saml/metadata.xml</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2024-08-30T09:58:53.745389+00:00"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="foo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>bar</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'''

xml_tree = defusedxml.lxml.fromstring(xml_string)
XMLVerifier().verify(xml_tree, x509_cert=CERTIFICATE)

[kislyuk]

Hello, thank you for reporting this. I have released a fix in v4.0.1, can you please install and see if it fixes the issue you are facing?

(Your repro is not quite complete because from tests.idp.base import CERTIFICATE is importing from a private tests package that is private to your project, but I understand the general idea.)